GoDaddy Hushing Up Customer Credit Card Data Breach?

Did domain name registrar GoDaddy have a credit card security breach that they’re not telling anyone about? That’s what Reader Newcxns thinks. Two weeks ago, one of his Citi cards was replaced. One week later, another. The only thing Citi would tell him is that “a merchant” reported a possible data breach. No merchant has sent any data breach reports to Newcxns. In typical fashion, banks and vendors like to hide it when their security systems fail and compromise your account information.

The only merchant in common on the two cards? GoDaddy.

Don’t merchants have an obligation to tell their customers about their failure to secure the account information their customers have entrusted them with?

(Photo: danesparza)

UPDATE: In the comments, GoDaddy says there was no breach.

My name is LaTrisha and I work in the GoDaddy.com Fraud Detection Unit. We noticed your posting and immediately reviewed our records. We found no breach on our end. As you might guess, we can not comment on other merchants’ situations but can assure you the problem was not with the customer’s GoDaddy.com account.

Comments

  1. I think it’s strange that credit card companies won’t give you details about stuff like this. I had to have my Citibank card replaced about a month ago because of what I assume was the T.J. Maxx security breach. When I called Citibank, I asked about the specifics. “Your identity may have been compromised,” I was told by the CSR, “and that’s all I can say.”

    Why?

  2. edrift101 says:

    I really hope this isn’t true…

  3. extracrispy says:

    The merchant is TJ Maxx. When Citi replaced my credit card last month, the CSR told me it was due to a TJ Maxx security breach.

  4. Not that this is negative proof, but I have a number of domains registered with GoDaddy and haven’t received any replacement cards from Citi. Honestly, it would be pretty tough for me to figure out the common merchants between our two main credit cards. If you’ve *ever* made a charge at the same merchant with both cards (anytime during your cardholder history), then they should be on the list of suspects — it’s not just data from current charges that can be leaked.

  5. weave says:

    One can over-react to security breaches as well. For example, if a laptop is stolen with identities on them, chances are the thief is really just a thug who will reformat and sell the laptop. They have no clue what is on it. Does that mean a panic has to go out to all those possibly affected?

    I do think we, as consumers, need to be able to lock our credit accounts somehow, easily, online. Only we know when we desire to open up new accounts or make changes. I don’t understand why there is so much industry resistance to it. I believe that would help address this identity theft risk tremendously.

  6. harshmellow says:

    I think they should HAVE TO tell you what merchant caused it. Honestly, the merchant should be on the hook for much more if they do get a breach. I assume the new card they sent had a new account number? Who the hell thinks it’s OK to change my credit card account number without asking me (or telling me), when I could have countless other accounts using that same card? The catastrophic mess is easy for me to see…

  7. FLConsumer says:

    Did anyone ever figure out where the VIP TUNES thing came from? I’m still thinking it might have been Amazon.com, but no way to confirm.

  8. FLConsumer says:

    This also illustrates the benefit of using a credit card vs. debit card. Imagine your debit card # being stolen this way.

  9. extracrispy says:

    Here is a detailed article at Wall Street Journal about the TJ Maxx security breach. It affected all retailers owned by the TJX parent company including TJ Maxx, Marshalls, Home Goods and AJ Wright. At least 45.7 million credit and debit card numbers were stolen, making it the largest known theft of credit card numbers in history.

    [online.wsj.com]

  10. JeffMc says:

    This might explain why a couple weeks back I had some fraudulent charges show up on my credit card. It’s a card I haven’t been using lately (moved to one that gives points) so I was confused that it should have weird charges show up but it IS the one that GoDaddy had on file.

  11. Mike_ says:

    Doesn’t California law require customers be notified of this sort of security breach?

  12. LTS! says:

    NYS law also required companies to notify those people who have had their personal data compromised. The details of what comprises personal data are listed there, and while I don’t think a simple CC# would meet the requirements, having that along with your address, etc. does. I’ve heard nothing and I have accounts with GoDaddy.com.

    I would simply close my accounts with Citi since they cannot be forthcoming about what is happening with your account. You are in a business relationship and accepting responses like that would not cut it if they tried telling a large corporation that their financial information had been breached. It should not be acceptable to you. Close your accounts.

  13. coan_net says:

    I’ve only been in a TJ Maxx store once in my life – the day after Thanksgiving 2006 while I was at my sister-in-law’s. And early 2007, I got a new card because of it. Well, they did not tell me why, but that was when it was first in the news.

    I get stuff from GoDaddy.com all the time, and they have not replaced my card yet.

  14. rlee says:

    I’m pretty much in agreement with the others re TJ Maxx. My Citi card got replaced a few months ago due to unspecified suspected compromise, and I assumed it was TJ Maxx even though I don’t remember shopping at any of them — certainly not recently. Perhaps Citi isn’t going off a list from them, but casting a wider net? (No, in my case it can’t be GoDaddy.)

  15. Buran says:

    @weave: Yes, it can and should. NEVER assume that someone who has your financial info will not do anything with it!

  16. Buran says:

    @loquaciousmusic: “My trust in you may have been compromised. I am closing my account, and that’s all I can say.” *CLICK*

  17. Mary says:

    @FLConsumer: “This also illustrates the benefit of using a credit card vs. debit card. Imagine your debit card # being stolen this way.”

    Oh, I don’t have to imagine it.

    A few months ago, a charge I didn’t make appeared on my Citibank debit card. I called, they put a hold on it until I took care of it with the merchant.

    A few weeks later, when everything was still being investigated, $400 in other charges I didn’t make showed up on the card. I called Citibank, and instantly they’d shut down my account, mailed me a new debit card (overnight, at their expense) and put a hold on all of those purchases that I said I didn’t make.

    I wasn’t held liable for any of them, I have a new debit card, and all is (currently) well.

    And actually, I do use GoDaddy. But I’m not certain I used that card for the transaction. It’s worth looking into though.

  18. simplybeebo says:

    Bizarre, but related: last night I got a call on my cell phone, and the caller ID indicated that it was my mom. However, upon answering, it turned out that I was ‘listening in’ on a call to GoDaddy by a mystery gentleman.
    It was weird.

  19. LegalBill says:

    In addition to the federal Fair Credit Reporting Act, which requires disclosure of data theft to consumers and law enforcement (see FTC publication here: [www.ftc.gov]), many states also have state-level laws requiring that businesses provide notice of data breaches. I’ve included a non-exclusive list by states below.

    Furthermore, the failure of a business to safeguard consumer information may be a violation of the federal Gramm-Leach-Bliley Act privacy and security regulations for those covered by that act.

    • Arkansas, Personal Information Protection Act, 2005 Ark. Acts 1526 (codified at ARK. CODE ANN. §§ 4-110-101–108) (eff. Mar. 31, 2005)
    • California, California Financial Information Privacy Act, 2003 Cal. Stat. 241 (S.B.1) (operative July 1, 2004) (codified at CAL. FIN. CODE §§ 4050-4060)
    • Connecticut, An Act Requiring Consumer Credit Bureaus To Offer Security Freezes, 2005 Conn. Acts 05-148 (Reg. Sess.) (codified at CONN. GEN. STAT. §§ 36a-701–701b) (eff. Jan. 1, 2006)
    • Delaware, Computer security breaches, 75 Del. Laws ch. 61 (H.B. 116) (codified at DEL. CODE ANN. tit. 6, §§ 12B-101–104) (eff. June 28, 2005)
    • Florida, Identity & identification–fraud, 2005 Fla. Sess. Law Serv. ch. 2005-229 (H.B. 481) (codified at FLA. STAT. ANN. §§ 817.568–5681) (eff. July 1, 2005)
    • Georgia, Identity theft, 2005 Ga. Laws Act 163 (S.B. 230) (codified at GA. CODE ANN. §§ 10-1-910–912) (eff. May 5, 2005)
    • Illinois, Personal Information Protection Act, 2005 Ill. Laws 94-36 (H.B. 1633), (codified at 815 ILL. COMP. STAT. 530/1–20) (eff. Jan. 1, 2006)
    • Indiana, Release of Social Security Number, 2005 Ind. Legis. Serv. P.L. 91-2005 (S.E.A. 503) (West) (codified at IND. CODE §§ 4-1-11-1–10) (eff. July 1, 2006)
    • Kansas, 2006 Kan. Sess. L. 149 (codified at KAN. STAT. ANN. §§ 50-7a01 through -7a04) (eff. July 1, 2006)
    • Louisiana, Database Security Breach Notification 2005 La. Sess. Law Serv. Act 499 (S.B. 205) (West) (codified at LA. REV. STAT. ANN. §§ 51:3071–77) (eff. Jan. 1, 2006 pending rulemaking by Attorney General)
    • Maine, Notice of Risk to Personal Data Act, 2005 Me. Legis. Serv. Ch. 379 (H.P. 1180) (L.D. 1671) (West) (codified at ME. REV. STAT. tit. 10, §§ 1346–49) (eff. Jan. 31, 2006)
    • Minnesota, Personal data–notice required for certain disclosures, 2005 Minn. Laws ch. 167 (H.F. 2121) (codified at MINN. STAT. § 325E.61) (eff. Jan. 1, 2006) and for State agencies, Disclosure of breach in security, 2005 Minn. Laws ch. 163 § 21 (H.F. 225) (codified at MINN. STAT. § 13.055) (eff. Aug. 1, 2005)
    • Montana, Identity theft–privacy–prevention, 2005 Montana Laws ch. 518, §§ 7 and 9 (H.B. 732) (codified at MONT. CODE ANN. §§ 30-14-1704 and 33-19-321) (eff. Mar. 1, 2006)
    • Nevada, Personal identifying information–data protection, 2005 Nev. Stat. ch. 485 (codified at NEV. REV. STAT. § 603A.010–.920) (eff. Jan. 1, 2006)
    • New York, Information Security Breach and Notification Act, 2005 N.Y. Sess. Laws Ch. 442 (A. 4254-A) (codified at N.Y. GEN. BUS. LAW § 899-aa and N.Y. STATE TECH. LAW § 208) (eff. Dec. 7, 2005)
    • North Dakota, Security breach for personal information, 2005 N.D. Laws ch. 447 (S.B. 2251) (codified at N.D. CENT. CODE §§ 51-30-01–07) (eff. June 1, 2005)
    • Rhode Island, Identity Theft Protection Act, 2005 R.I. Pub. Laws ch. 225 (05-H 6191A) (codified at R.I. GEN. LAWS § 11-49.2-1–7) (eff. Mar. 1, 2006)
    • Tennessee, Consumer protection–personal information, 2005 Tenn. Laws Pub. ch. 473 (S.B. 2220) (codified at TENN. CODE ANN. § 47-18-2101–07) (eff. July 1, 2005)
    • Texas, Identity Theft Enforcement & Protection Act, 2005 Tex. Sess. Law Serv. ch. 294 (S.B. 122) (codified at TEX. BUS. & COM. CODE ANN. §§ 48.001–.203) (eff. Sept. 1, 2005)
    • Washington, Personal information–security, 2005 Wash. Legis. Serv. ch. 368 (S.S.B. 6043) (codified at WASH. REV. CODE § 19.255.010) (eff. July 24, 2005)

    Hope this is helpful!

  20. BrockBrockman says:

    ^ Yeah, that’s pretty helpful. Thanks

  21. Anonymous says:

    My Bank of America credit card was recently hit for over $3,000 for Corbis (the stock photography company owned by Bill Gates), Epoch.com (sounds scammy), and some New Democratic Party in Canada. BoA saw that, reversed the charges, and sent me a new card.

    I do business with GoDaddy but I don’t know if I gave them that card. BoA’s online system only shows the last 12 statements and there’s nothing from GD on them. But if it was, I think it was before that.

  22. TPK says:

    It is infuriating that YOUR credit card company won’t tell you which of YOUR vendors had the security problem. Who is the customer here? Who pays for their services? Apparently the credit card company is looking out for the vendors and not their customers! How can people who think like this stay in business?

  23. MissUpsetter says:

    I worked for godaddy for an underwhelming 5 days. I quit after that just because their policy was so damn loose, and I was against their “secret selling” policy. The staff there in my short time seemed very unprofessional, and seemed to only be about the number of employees, not the quality of them. I did training for one week and learned absolutely nothing. They give you a help guide & that’s it. People leave personal information (seemingly) all over the place. I’ve never “up and ran” from a job, but I had to with this one. It was that bad. Be careful buying stuff online with anyone, but be careful calling into this company.

  24. Anonymous says:

    My name is LaTrisha and I work in the GoDaddy.com Fraud Detection Unit. We noticed your posting and immediately reviewed our records. We found no breach on our end. As you might guess, we can not comment on other merchants’ situations but can assure you the problem was not with the customer’s GoDaddy.com account.

  25. kimmie says:

    Hmm. I keep

  26. kimmie says:

    Hmm… I keep my Visa on file with my GoDaddy account for auto-renewals. They’d be required to notify at least California customers of any breach, and I haven’t heard anything. The message from the above fraud dept is reassuring.

  27. digitalgimpus says:

    I guess this is why you need to keep your eyes open.

    The “official” message above is pretty meaningless to me. The post itself is titled “GoDaddy Hushing Up Customer Credit Card Data Breach?”. They say it’s not true. That’s not really reassuring. China says their exports are still very safe.

    It could be 100% accurate that there was no breach… but a comment here doesn’t serve as proof to me. I’m a skeptic. But I hope there is no breach.

    That said, I have an account with them. I keep a close eye on my credit card statements in case something like this happens.

  28. allstarecho says:

    I sure hope Consumerist investigated GODADDYFRAUDDEPT and made sure it’s a real person from GoDaddy before posting GODADDYFRAUDDEPT’s comments up in the article as the gospel of what happened…

  29. Imaginary_Friend says:

    Crap like this just keeps happening; I’ve lost confidence in ALL of these companies to keep my data safe. They don’t care because the financial repercussions to them are minimal. Until stronger laws are enacted to punish these merchants for their negligence and security breaches, they will continue to play fast and loose with our private data.

    The only thing we, as consumers, can do is badger our elected representative to fix this mess. That, and use one-time-use credit card numbers whenever possible. Citicard allows this, but American Express discontinued their program because they claim it wasn’t very popular. Yeah, right. Guess which card I use the most?

  30. remthewanderer says:

    I know it may be a reach but I got a new HSBC GM card in the mail today due to a data breach. This is the same card that my auto renewing GoDaddy account is associated with.

  31. rad_thundercat says:

    I paid GoDaddy for hosting with my card online on 10/16. 10/17 I get charges from AT&T ESOR, FINISHLINE, PUMA, OLDNAVY ONLINE, SHOEMALL, and others that didn’t show up on my online activity but got rattled off by the cc fraud department.

    Of course they’re going to deny it. That’s some pretty pathetic damage control, LaTrisha. You’re not going to get the complacent reactions on the web that you would from the mainstream press. When multiple patterns of fraud emerge and GoDaddy is the constant, we know what’s going on.